3 Replies Latest reply on Jul 5, 2013 3:56 AM by RiccardoArea

    temporary files in the wwwroot-tmp detected by the antivirus as a threat despite hotfixes

    RiccardoArea

      Hello,
We have some web servers with different operating systems (ws 2003 standard edition r2 with iis 6 and coldfusion 9.0.1 hotfix 4, and ws 2008 r2 with iis 7.5 and coldfusion 10 update 8), and for the machines with coldfusion 10 we used the Server Lockdown Guide.

      Last night, within a period of 15 minutes, our antivirus reported some dangerous tmp files in the folders:
      - CF9:
      {coldfusion_path}\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\
      - CF10:
      {coldfusion_path}\cfusion\runtime\work\Catalina\localhost\tmp\

      The only thing I could understand from the logs is that 2 hours before the attempt to write these files on the server, a client with IP 188.190.126.105 requested the "famous" page http://server_ip/CFIDE/h.cfm on all my servers, which produced an error because that page does not exist.

      Does anyone have any idea or suggestion as to how it is possible that someone is still able to write these files, in spite of:

      - Coldfusion 9.0.1 with Hotfix 4 and coldfusion 10 with update 8
      - The coldfusion administrator is not reachable from external IPs
      - I do not have the files h.cfm or i.cfm in the CFIDE folder
      - All requests of the type CFIDE/administrator are blocked
      - Sites and Coldfusion are on different logical disks
      - IIS and Coldfusion run as different users
      - Not all the servers are in the same LAN, but all of them have had the intrusion


      Thanks

        • 1. Re: temporary files in the wwwroot-tmp detected by the antivirus as a threat despite hotfixes
          Anit_Kumar Adobe Employee

          Hi,

          The file residing at C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\ is not a virus. The name is alphanumeric, and it is a temp file.


          To Block /CFIDE requests

          Even if you do not have a virtual directory specified for /CFIDE on your IIS sites, the ColdFusion IIS connector will still pass through requests for /CFIDE/administrator/index.cfm. Therefore, you must explicitly block /CFIDE requests.

          IIS 7 has powerful request filtering capabilities that can enhance the security of your web server. Make sure that the Request Filtering feature is installed. Create a global Request Filtering rule for all sites on the server by editing the applicationHost.config file, which is located in the c:\windows\system32\inetsrv\config directory by default. Before editing the file, make a backup of this file. (Adobe ColdFusion 9 Server Lockdown Guide, p. 10)

          This file is an XML configuration file, so all changes must result in a valid XML document. Locate the <requestFiltering> tag, which is located in the <configuration> <system.webServer> <security> <requestFiltering> hierarchy.


          Add a child tag to <requestFiltering> named <denyUrlSequences> with the following information:


          <denyUrlSequences>
              <add sequence="/CFIDE/administrator" />
              <add sequence="/CFIDE/adminapi" />
              <add sequence="/CFIDE/AIR" />
              <add sequence="/CFIDE/appdeployment" />
              <add sequence="/CFIDE/componentutils" />
              <add sequence="/CFIDE/debug" />
              <add sequence="/CFIDE/orm" />
              <add sequence="/CFIDE/portlets" />
              <add sequence="/CFIDE/probe.cfm" />
              <add sequence="/CFIDE/scripts" />
              <add sequence="/CFIDE/services" />
              <add sequence="/CFIDE/wizards" />
          </denyUrlSequences>


          If there is already a <denyUrlSequences> tag, append the <add sequence> tags to the existing tag.


          Next, you must allow access to the /CFIDE/administrator URI in the cfadmin website. Create a file called web.config in the web root with the following content:


          <configuration>
              <system.webServer>
                  <security>
                      <requestFiltering>
                          <denyUrlSequences>
                              <remove sequence="/CFIDE/administrator" />
                          </denyUrlSequences>
                      </requestFiltering>
                  </security>
              </system.webServer>
          </configuration>


          The above configuration overrides the global request filtering and removes the deny rule for the URI /CFIDE/administrator.


          Regards,

          Anit Kumar
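
          As an added check (not Adobe's or the Lockdown Guide's code, and not part of this reply): a Python script that parses an applicationHost.config plus an optional site web.config, computes the effective denyUrlSequences for that site using the override behaviour described above, and reports which of the listed /CFIDE sequences the site does not deny. The XML samples are constructed, and the script assumes the rules sit directly under <configuration> rather than inside a <location> element.

```python
"""Check the /CFIDE deny list from the reply above. Added example, not Adobe code:
parses applicationHost.config plus an optional site web.config (constructed samples
below) and reports the listed sequences a site does not deny."""
import xml.etree.ElementTree as ET

# The sequences the reply adds globally (the Lockdown Guide list).
REQUIRED_SEQUENCES = [
    "/CFIDE/administrator", "/CFIDE/adminapi", "/CFIDE/AIR", "/CFIDE/appdeployment",
    "/CFIDE/componentutils", "/CFIDE/debug", "/CFIDE/orm", "/CFIDE/portlets",
    "/CFIDE/probe.cfm", "/CFIDE/scripts", "/CFIDE/services", "/CFIDE/wizards",
]
# Assumption: rules sit directly under <configuration>, not inside a <location> block.
DENY_PATH = "system.webServer/security/requestFiltering/denyUrlSequences"

def deny_sequences(xml_text):
    """Return (added, removed) sequence sets from one config document, lower-cased
    because IIS URL sequence matching is case-insensitive."""
    node = ET.fromstring(xml_text).find(DENY_PATH)
    if node is None:
        return set(), set()
    added = {e.get("sequence", "").lower() for e in node.findall("add")}
    removed = {e.get("sequence", "").lower() for e in node.findall("remove")}
    return added, removed

def effective_deny(global_xml, site_xml=None):
    """Global <add> entries, minus what the site web.config <remove>s, plus its own <add>s."""
    added, _ = deny_sequences(global_xml)
    if site_xml:
        site_added, site_removed = deny_sequences(site_xml)
        added = (added - site_removed) | site_added
    return added

def missing_sequences(global_xml, site_xml=None):
    """Required sequences this site does not deny (sorted). On the cfadmin site
    /CFIDE/administrator is expected to appear here; on any other site it is a finding."""
    have = effective_deny(global_xml, site_xml)
    return sorted(s for s in REQUIRED_SEQUENCES if s.lower() not in have)

# Constructed samples: a global config that forgot /CFIDE/adminapi, and the cfadmin web.config.
SAMPLE_GLOBAL = (
    "<configuration><system.webServer><security><requestFiltering><denyUrlSequences>"
    + "".join(f'<add sequence="{s}" />' for s in REQUIRED_SEQUENCES if s != "/CFIDE/adminapi")
    + "</denyUrlSequences></requestFiltering></security></system.webServer></configuration>"
)
SAMPLE_CFADMIN_SITE = """<configuration><system.webServer><security><requestFiltering>
<denyUrlSequences><remove sequence="/CFIDE/administrator"/></denyUrlSequences>
</requestFiltering></security></system.webServer></configuration>"""

if __name__ == "__main__":
    print("global only :", missing_sequences(SAMPLE_GLOBAL))
    print("cfadmin site:", missing_sequences(SAMPLE_GLOBAL, SAMPLE_CFADMIN_SITE))
```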

          • 2. Re: temporary files in the wwwroot-tmp detected by the antivirus as a threat despite hotfixes
            a.s.webster

            Did you ever find a solution to your issue? I have locked down CFIDE, but every so often my virus protection detects and deletes 10-30 files being uploaded to the ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp folder. I am unable to find any POST commands in the IIS logs to determine which site on this shared server could be allowing the upload. We are running Windows 2008R2, IIS 7.5, CF 9,0,1,274733 hotfix 4.

            • 3. Re: temporary files in the wwwroot-tmp detected by the antivirus as a threat despite hotfixes
              RiccardoArea Level 1

              You can look at this thread http://forums.adobe.com/message/5443464#5443464 (the post in position 8) and at Charlie Arehart's blog at http://www.carehart.org/blog/client/index.cfm/2006/5/7/cfform_not_doing_upload to understand how it is possible.

              The situation is that if you have a form with an input of type file, when you submit the form this file is uploaded to the folder ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp even though there is no cffile in the response page. However, if the file is in .tmp format it should not be dangerous.

              To limit these uploads: I realized that in the IIS logs, at the same time that the antivirus blocks the file, there is a request for the page http://myserverip/cfide/h.cfm. When you see that request, block the IP address that made it. In my case it's always the same group of 2-3 IPs making this kind of request.
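
              As an added example (not code from this thread): a Python script that does the correlation described in the reply above, reading IIS W3C extended log lines, keeping only requests for /CFIDE/h.cfm or /CFIDE/i.cfm in the window before an antivirus detection time, and ranking the client IPs that made them. The log lines and the detection time are constructed; the field names come from the log's own #Fields header.

```python
"""Correlate an antivirus detection in wwwroot-tmp with /CFIDE/h.cfm probes in IIS logs.
Added example, not code from the thread. SAMPLE_LOG below is constructed in IIS 7.5
W3C extended format; pass real log lines (e.g. open(path)) in its place."""
from collections import Counter
from datetime import datetime, timedelta

PROBE_STEMS = {"/cfide/h.cfm", "/cfide/i.cfm"}   # the pages the thread mentions

def parse_iis_log(lines):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def probe_requests(lines, detected_at, window_minutes=120):
    """Probe requests in the window_minutes before the AV detection time ('YYYY-MM-DD HH:MM:SS').
    The thread saw the probe about 2 hours before the upload and again at the same time."""
    end = datetime.strptime(detected_at, "%Y-%m-%d %H:%M:%S")
    start = end - timedelta(minutes=window_minutes)
    hits = []
    for rec in parse_iis_log(lines):
        if rec["cs-uri-stem"].lower() not in PROBE_STEMS:
            continue
        when = rec["date"] + " " + rec["time"]
        if start <= datetime.strptime(when, "%Y-%m-%d %H:%M:%S") <= end:
            hits.append((when, rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"]))
    return hits

def ips_to_block(hits):
    """Client IPs ranked by number of probe requests; candidates for an IIS IP restriction."""
    return Counter(ip for _, ip, _, _ in hits).most_common()

SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2013-07-04 01:12:00 10.0.0.5 GET /CFIDE/h.cfm - 80 203.0.113.7 Mozilla/5.0 404
2013-07-04 01:12:04 10.0.0.5 GET /index.cfm - 80 198.51.100.9 Mozilla/5.0 200
2013-07-04 03:09:58 10.0.0.5 GET /cfide/h.cfm - 80 203.0.113.7 Mozilla/5.0 404
2013-07-04 03:10:01 10.0.0.5 GET /CFIDE/i.cfm - 80 203.0.113.8 Mozilla/5.0 404
2013-07-03 20:00:00 10.0.0.5 GET /CFIDE/h.cfm - 80 203.0.113.9 Mozilla/5.0 404""".splitlines()

if __name__ == "__main__":
    found = probe_requests(SAMPLE_LOG, "2013-07-04 03:10:05")   # constructed AV detection time
    for row in found:
        print(*row)
    print("block candidates:", ips_to_block(found))
```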